Windows 7 deprecation: Windows 7 will be removed from tria.ge on 2025-03-31
Tabs (score)
  Overview: 7
  Static: 3
  ChangeIt21...iA.exe (windows7-x64): 7
  ChangeIt21...iA.exe (windows10-2004-x64): 7
  ChangeIt21...iW.exe (windows7-x64): 7
  ChangeIt21...iW.exe (windows10-2004-x64): 7
  ChangeIt211/Setup.exe (windows7-x64): 6
  ChangeIt211/Setup.exe (windows10-2004-x64): 6
  ChangeIt211/Setup.msi (windows7-x64): 6
  ChangeIt211/Setup.msi (windows10-2004-x64): 6
Analysis
  max time kernel: 158s
  max time network: 125s
  platform: windows7_x64
  resource: win7-20231023-en
  resource tags: arch:x64, arch:x86, image:win7-20231023-en, locale:en-us, os:windows7-x64, system
  submitted: 07/11/2023, 14:20
Tasks
  Task          Type        Sample                      Resource
  static1       Static      -                           -
  behavioral1   Behavioral  ChangeIt211/InstMsiA.exe    win7-20231025-en
  behavioral2   Behavioral  ChangeIt211/InstMsiA.exe    win10v2004-20231023-en
  behavioral3   Behavioral  ChangeIt211/InstMsiW.exe    win7-20231025-en
  behavioral4   Behavioral  ChangeIt211/InstMsiW.exe    win10v2004-20231023-en
  behavioral5   Behavioral  ChangeIt211/Setup.exe       win7-20231023-en
  behavioral6   Behavioral  ChangeIt211/Setup.exe       win10v2004-20231025-en
  behavioral7   Behavioral  ChangeIt211/Setup.msi       win7-20231025-en
  behavioral8   Behavioral  ChangeIt211/Setup.msi       win10v2004-20231023-en
General
  Target: ChangeIt211/Setup.exe
  Size: 64KB
  MD5: 1b7af5de542aced976404383416f6722
  SHA1: 1f28ddc8dbfc58a6c627669e56673d914a9a6c5c
  SHA256: f7fb208405fdbb321f10a161fc3b785706d2cea17b30d2d2196f03e900a79126
  SHA512: 04f3615149839cdd2737d6a837fc69d2ab181b94a4563b67eaf95d76b8a4009dba0f02b4bcefa1c5a5fb496dd80a15f373214e71c3612016f19265c3b28ddda5
  SSDEEP: 1536:Sv6jLwUkDK9VTR79jdqgr69rhswJlXOPJ6XcfU:SewUdV79jdaD+PJ6XcfU
Malware Config
Signatures
Enumerates connected drives (3 TTPs, 23 IoCs)
Attempts to read the root path of hard drives other than the default C: drive.
  description               ioc      Process
  File opened (read-only)   \??\J:   MsiExec.exe
  File opened (read-only)   \??\T:   MsiExec.exe
  File opened (read-only)   \??\O:   MsiExec.exe
  File opened (read-only)   \??\P:   MsiExec.exe
  File opened (read-only)   \??\U:   MsiExec.exe
  File opened (read-only)   \??\V:   MsiExec.exe
  File opened (read-only)   \??\Z:   MsiExec.exe
  File opened (read-only)   \??\B:   MsiExec.exe
  File opened (read-only)   \??\G:   MsiExec.exe
  File opened (read-only)   \??\S:   MsiExec.exe
  File opened (read-only)   \??\W:   MsiExec.exe
  File opened (read-only)   \??\Y:   MsiExec.exe
  File opened (read-only)   \??\N:   MsiExec.exe
  File opened (read-only)   \??\R:   MsiExec.exe
  File opened (read-only)   \??\H:   MsiExec.exe
  File opened (read-only)   \??\I:   MsiExec.exe
  File opened (read-only)   \??\K:   MsiExec.exe
  File opened (read-only)   \??\L:   MsiExec.exe
  File opened (read-only)   \??\M:   MsiExec.exe
  File opened (read-only)   \??\Q:   MsiExec.exe
  File opened (read-only)   \??\A:   MsiExec.exe
  File opened (read-only)   \??\E:   MsiExec.exe
  File opened (read-only)   \??\X:   MsiExec.exe

Suspicious behavior: GetForegroundWindowSpam (1 IoC)
  pid    Process
  2688   MsiExec.exe

Suspicious use of AdjustPrivilegeToken (34 IoCs)
  description                            pid    Process
  Token: SeShutdownPrivilege             2688   MsiExec.exe
  Token: SeIncreaseQuotaPrivilege        2688   MsiExec.exe
  Token: SeRestorePrivilege              2868   msiexec.exe
  Token: SeTakeOwnershipPrivilege        2868   msiexec.exe
  Token: SeSecurityPrivilege             2868   msiexec.exe
  Token: SeCreateTokenPrivilege          2688   MsiExec.exe
  Token: SeAssignPrimaryTokenPrivilege   2688   MsiExec.exe
  Token: SeLockMemoryPrivilege           2688   MsiExec.exe
  Token: SeIncreaseQuotaPrivilege        2688   MsiExec.exe
  Token: SeMachineAccountPrivilege       2688   MsiExec.exe
  Token: SeTcbPrivilege                  2688   MsiExec.exe
  Token: SeSecurityPrivilege             2688   MsiExec.exe
  Token: SeTakeOwnershipPrivilege        2688   MsiExec.exe
  Token: SeLoadDriverPrivilege           2688   MsiExec.exe
  Token: SeSystemProfilePrivilege        2688   MsiExec.exe
  Token: SeSystemtimePrivilege           2688   MsiExec.exe
  Token: SeProfSingleProcessPrivilege    2688   MsiExec.exe
  Token: SeIncBasePriorityPrivilege      2688   MsiExec.exe
  Token: SeCreatePagefilePrivilege       2688   MsiExec.exe
  Token: SeCreatePermanentPrivilege      2688   MsiExec.exe
  Token: SeBackupPrivilege               2688   MsiExec.exe
  Token: SeRestorePrivilege              2688   MsiExec.exe
  Token: SeShutdownPrivilege             2688   MsiExec.exe
  Token: SeDebugPrivilege                2688   MsiExec.exe
  Token: SeAuditPrivilege                2688   MsiExec.exe
  Token: SeSystemEnvironmentPrivilege    2688   MsiExec.exe
  Token: SeChangeNotifyPrivilege         2688   MsiExec.exe
  Token: SeRemoteShutdownPrivilege       2688   MsiExec.exe
  Token: SeUndockPrivilege               2688   MsiExec.exe
  Token: SeSyncAgentPrivilege            2688   MsiExec.exe
  Token: SeEnableDelegationPrivilege     2688   MsiExec.exe
  Token: SeManageVolumePrivilege         2688   MsiExec.exe
  Token: SeImpersonatePrivilege          2688   MsiExec.exe
  Token: SeCreateGlobalPrivilege         2688   MsiExec.exe

Suspicious use of FindShellTrayWindow (1 IoC)
  pid    Process
  2688   MsiExec.exe

Suspicious use of WriteProcessMemory (7 IoCs)
  description                         pid    Process     procid_target
  PID 2712 wrote to memory of 2688    2712   Setup.exe   29
  PID 2712 wrote to memory of 2688    2712   Setup.exe   29
  PID 2712 wrote to memory of 2688    2712   Setup.exe   29
  PID 2712 wrote to memory of 2688    2712   Setup.exe   29
  PID 2712 wrote to memory of 2688    2712   Setup.exe   29
  PID 2712 wrote to memory of 2688    2712   Setup.exe   29
  PID 2712 wrote to memory of 2688    2712   Setup.exe   29
Processes
  C:\Users\Admin\AppData\Local\Temp\ChangeIt211\Setup.exe (PID 2712)
    command line: "C:\Users\Admin\AppData\Local\Temp\ChangeIt211\Setup.exe"
    - Suspicious use of WriteProcessMemory
    C:\Windows\SysWOW64\MsiExec.exe (PID 2688, child of 2712)
      command line: /i "C:\Users\Admin\AppData\Local\Temp\ChangeIt211\Setup.msi"
      - Enumerates connected drives
      - Suspicious behavior: GetForegroundWindowSpam
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of FindShellTrayWindow
  C:\Windows\system32\msiexec.exe (PID 2868)
    command line: C:\Windows\system32\msiexec.exe /V
    - Suspicious use of AdjustPrivilegeToken